A Year in AWS Config and AWS Config Rules

AWS Config is a fully managed service that provides AWS resource inventory, configuration history, and configuration change notifications to enable security and governance. AWS Config Rules enables you to create rules that automatically check the configuration of AWS resources recorded by AWS Config. Over the last year, we expanded the service coverage for Config in 7 new regions, and expanded support for Config Rules in 9 new regions. We added support for 15 resource types from 6 new services, and developed 18 new managed rules. Let’s look back on these significant new features and updates to Config and Config Rules that we introduced in 2016.

New regions: AWS Config is available in the Asia Pacific (Seoul), Asia Pacific (Mumbai), China (Beijing), Canada (Central), EU (London), US East (Ohio), and GovCloud (US) Regions, in addition to 9 other regions we added in previous years. Similarly, you can now verify compliance policies for provisioning and configuring AWS resources with Config Rules in US West (Oregon), EU (Ireland), EU (Frankfurt), Asia Pacific (Tokyo), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Seoul), US East (Ohio), and US West (N. California) Regions, in addition to US East (N. Virginia). See all regions and endpoints supported by AWS Config and AWS Config Rules here.

Check whether your running instances are using specified AMIs. You can specify the tags that identify the AMIs. Running instances with AMIs that don’t have at least one of the specified tags are flagged as noncompliant.
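The tag-based AMI check described above, written out as an added example (not AWS's rule implementation and not code from the original post). The record layout, IDs and tag names are constructed, and treating an AMI that is missing from inventory as noncompliant and a stopped instance as not applicable are assumptions of this sketch.

```python
# Compliance values used by AWS Config evaluations.
COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"
NOT_APPLICABLE = "NOT_APPLICABLE"

# Constructed sample data: approved (key, value) tags, AMI tags, instances.
APPROVED_TAGS = [("golden-image", "true"), ("hardened", "cis-l1")]
AMI_TAGS = {
    "ami-0aaa": {"golden-image": "true", "owner": "platform"},
    "ami-0bbb": {"owner": "dev-sandbox"},
    "ami-0ddd": {"golden-image": "false"},  # key matches, value does not
}
INSTANCES = [
    {"id": "i-001", "state": "running", "image_id": "ami-0aaa"},
    {"id": "i-002", "state": "running", "image_id": "ami-0bbb"},
    {"id": "i-003", "state": "running", "image_id": "ami-0ccc"},  # AMI not in inventory
    {"id": "i-004", "state": "stopped", "image_id": "ami-0bbb"},
    {"id": "i-005", "state": "running", "image_id": "ami-0ddd"},
]


def ami_is_approved(ami_tags, approved_tags):
    """True if the AMI carries at least one of the approved (key, value) tags."""
    return any(ami_tags.get(key) == value for key, value in approved_tags)


def evaluate_instance(instance, ami_tags_by_id, approved_tags):
    """Return (compliance, annotation) for one instance record."""
    if instance["state"] != "running":
        # The check covers running instances only (assumption: others are out of scope).
        return NOT_APPLICABLE, "instance is not running"
    ami_id = instance["image_id"]
    ami_tags = ami_tags_by_id.get(ami_id)
    if ami_tags is None:
        # Assumption: an AMI we cannot see has no verifiable tags, so fail closed.
        return NON_COMPLIANT, f"{ami_id} not found; no approved tag can be verified"
    if ami_is_approved(ami_tags, approved_tags):
        return COMPLIANT, f"{ami_id} carries an approved tag"
    return NON_COMPLIANT, f"{ami_id} has none of the approved tags"


def evaluate_all(instances, ami_tags_by_id, approved_tags):
    """Map instance id -> compliance value for every instance record."""
    return {i["id"]: evaluate_instance(i, ami_tags_by_id, approved_tags)[0]
            for i in instances}


if __name__ == "__main__":
    for inst in INSTANCES:
        print(inst["id"], *evaluate_instance(inst, AMI_TAGS, APPROVED_TAGS))
```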

Support for EC2 software inventory: You can gain visibility into AWS and on-premises operating system configurations, system-level updates, installed applications, network configuration, and more through AWS Config integration with Amazon EC2 Systems Manager. Amazon EC2 Systems Manager is available free of charge, so you only pay for the resources you manage.

AWS CloudTrail integration: The AWS Config console integrates with AWS CloudTrail to display API events associated with configuration changes. The API events contain details such as the name of the API, user identity of the caller, and the time at which the API call was made. You can use this information to correlate the API calls that may have resulted in the configuration changes recorded by AWS Config. To learn more about this feature, read our documentation here.

Compliance certifications: AWS Config is certified with the Payment Card Industry Data Security Standard (PCI DSS) version 3.2, which enables you to rely on AWS infrastructure as you manage your own PCI DSS compliance certification. AWS Config is now also certified with the International Organization for Standardization and meets the requirements of the ISO 9001, ISO 27001, ISO 27017, and ISO 27018 standards.

The AWS Config team is excited about 2017 and is looking forward to continually improving Config and Config Rules functionality. To learn more about Config features, see the AWS Config page.